Bugtraq mailing list archives

Re: Script for find domino's users


From: "David Litchfield" <david () nextgenss com>
Date: Mon, 4 Feb 2002 16:28:31 -0000


Two things can be done to avoid this:

1 - Change the ACL on sensitive databases (/mail/*, names.nsf) to:
     Anonymous - No access
     [Default] - No access

In my opinion, a Domino webserver configured with these ACLs still allows
enumeration of valid users.

If you try to GET a file named /mail/toto.nsf:
- toto doesn't exist => 404
- toto exists => redirection to the login page ("200 OK")

I'm not aware of any ACL configuration which forbids this behaviour.

If you've configured the Domino server to use form based logins/cookies
you'll get a 200 response. Else you'll get a 401 Unauthorized.
Either way you can still determine if the .nsf or .box file exists.

Cheers,
David Litchfield
http://www.ngssoftware.com/
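Since the ACL cannot suppress the 404-versus-200/401 split, the practical defence is to spot the probing in the web server logs. The following is an added defender-side example, not code from the post or the thread: it reads access-log lines (constructed sample lines in Common Log Format, not from a real server; Domino's own log layout is assumed to be CLF-like) and flags a client that requests many distinct .nsf/.box paths, most of which return 404.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format) for illustration;
# not from the original post. The first client walks /mail/<name>.nsf.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Feb/2002:16:28:31 +0000] "GET /mail/alice.nsf HTTP/1.0" 401 0
10.0.0.5 - - [04/Feb/2002:16:28:32 +0000] "GET /mail/bob.nsf HTTP/1.0" 404 312
10.0.0.5 - - [04/Feb/2002:16:28:33 +0000] "GET /mail/carol.nsf HTTP/1.0" 404 312
10.0.0.5 - - [04/Feb/2002:16:28:34 +0000] "GET /mail/dave.nsf HTTP/1.0" 200 1874
10.0.0.5 - - [04/Feb/2002:16:28:35 +0000] "GET /mail/erin.nsf HTTP/1.0" 404 312
10.0.0.5 - - [04/Feb/2002:16:28:36 +0000] "GET /names.nsf HTTP/1.0" 401 0
192.168.1.20 - - [04/Feb/2002:16:30:00 +0000] "GET /mail/dave.nsf HTTP/1.0" 200 1874
192.168.1.20 - - [04/Feb/2002:16:30:05 +0000] "GET /mail/dave.nsf/($Inbox)?OpenView HTTP/1.0" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# The database file part of a request path: /mail/<name>.nsf, /names.nsf, *.box ...
DB_PATH_RE = re.compile(r'^/(?:mail/)?[^/?]+\.(?:nsf|box)(?=/|\?|$)', re.IGNORECASE)

def parse_line(line):
    """Return (ip, path, status) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))

def enumeration_report(log_text, min_distinct=4, min_404_ratio=0.5):
    """Per client IP: how many distinct database files were requested and how
    many of them were missing (404). A client touching many distinct files,
    mostly missing, matches the 404 vs 200/401 probing pattern described above."""
    seen = defaultdict(dict)  # ip -> {database path (lower-cased): last status}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ip, path, status = rec
        m = DB_PATH_RE.match(path)
        if m:
            seen[ip][m.group(0).lower()] = status
    report = {}
    for ip, dbs in seen.items():
        distinct = len(dbs)
        missing = sum(1 for s in dbs.values() if s == 404)
        flagged = distinct >= min_distinct and missing / distinct >= min_404_ratio
        report[ip] = {"distinct": distinct, "missing": missing, "flagged": flagged}
    return report
```

The thresholds are assumptions to tune per site; a legitimate user normally opens one or two existing databases, so a burst of distinct missing ones from a single client stands out.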
